Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

How do I stop burpcollaborator hitting my site?

D | Last updated: Jun 17, 2022 11:40AM UTC

I am running some servers for personal use and have never used burp suite or any of your tools. But my nginx logs are showing loads of hits with burpcollaborator.net in the UA I've blocked the IP they are coming from with my firewall, but now some of my other servers are having similar hits appearing in logs. I have not initiated these attacks as I have never used any of your tools, and I have not given anyone else access to my servers. Is there a simple way I can prevent these hits from ever hitting my webservers? And is there a way I can find out who initiated the requests?

Hannah, PortSwigger Agent | Last updated: Jun 17, 2022 01:39PM UTC

From what you’ve described, it sounds like someone was performing an unauthorized automated scan of your website using our product, Burp Suite. As part of scanning, Burp sends various payloads like the one you observed, using domain names ending in “burpcollaborator.net” or "oastify.com". These are designed to trigger interactions with the Collaborator server when certain vulnerabilities are present in the system being scanned. The Collaborator server does not initiate any connections to any system. You can find out more about the Collaborator server here: https://portswigger.net/burp/documentation/collaborator Regarding being able to identify the person responsible for these scans, I am afraid that we do not track our users’ activity in any way, and there is no way for us in principle to obtain this information. The long subdomain strings in the test payloads are purely random and are generated by the instance of Burp doing the scanning, and we don’t have any way of mapping these back to an individual user. We would suggest that your best approach to identifying the perpetrator would be by investigating the source IP address of these requests.

Scott | Last updated: Feb 04, 2023 11:07PM UTC

Use timers send two requests first one to start the timer and once the viewer receives a response from the server immediately send the request you originally wanted to send if the server receives the second request in too long amount of time ignore it.

Janna | Last updated: Sep 17, 2024 11:05AM UTC